Content Security Policy (CSP) Considerations

A Content Security Policy (CSP) can be used by administrators to control what assets a user visiting a landing page is able to load, and from what domain(s) they are allowed. 

This article is for administrators who may have a CSP present on their landing page and need to know which directives to add our domain to in order to allow Chili Piper Concierge resources to load, such as our concierge.js script file and related iframe popup window.

Directives

As a fallback, this directive is used:

• default-src

At a minimum, an administrator should include {your_domain}.chilipiper.com to their "default-src" CSP directive. Where {your_domain} is your account's subdomain.

That way, if none of the other directives (listed below) are present, it will still allow Chili Piper to function.

CSP has several specific directives that may need to be modified to allow-list Chili Piper's domain if they are present.

The directives that may impact Chili Piper from loading include:

• connect-src
• script-src
• frame-src

It is recommended that you include the domain mentioned above to all of these directives in order for Chili Piper to function correctly. 

Information on this page is subject to change. If you have concerns about the domain changing, please consider using wildcards whenever possible to allow Chili Piper resources to function. This would mean adding *.chilipiper.com, where the  asterisk ( * ) is the wildcard instead of your account's subdomain.

If your landing page does not currently have an active CSP, the above information will not be required for Chili Piper or Concierge to function.

If you don't have access to modify your CSP, or are not sure if you have one, please reach out to your web development team for more information.

Failure to properly include Chili Piper in a CSP can result in Concierge not loading when a form is submitted. If you're unsure if this is the cause, please reach out to Chili Piper's Customer Love team.